hxxp://ww1[.]mamaslittleitalyar[.]com/px[.]gif?ch=1&rn=2[.]8737089470916874

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2023 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ww1.mamaslittleitalyar.com/px.gif?ch=1&rn=2.8737089470916874

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133289148721623477"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1788	chrome.exe
1788	chrome.exe
3512	chrome.exe
3512	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe
Token: SeShutdownPrivilege	1788	chrome.exe
Token: SeCreatePagefilePrivilege	1788	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
3216	firefox.exe
3216	firefox.exe
3216	firefox.exe
3216	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
3216	firefox.exe
3216	firefox.exe
3216	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3216	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1524	1788	chrome.exe	84
PID 1788 wrote to memory of 1524	1788	chrome.exe	84
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 112	1788	chrome.exe	85
PID 1788 wrote to memory of 4368	1788	chrome.exe	86
PID 1788 wrote to memory of 4368	1788	chrome.exe	86
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87
PID 1788 wrote to memory of 1216	1788	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://ww1.mamaslittleitalyar.com/px.gif?ch=1&rn=2.8737089470916874
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99adc9758,0x7ff99adc9768,0x7ff99adc9778
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:2
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2784 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2984 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3068 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3548 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:8
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5264 --field-trial-handle=1820,i,8369789461995071762,399080997620371476,131072 /prefetch:1
  2⤵
  PID:484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4520
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.0.879103456\1900112524" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cca0d859-eb3d-489c-873e-27f7626cdd87} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 1932 225443c3258 gpu
    3⤵
    PID:3284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.1.1658257556\1306510067" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d55d671-8387-49c3-9155-60cc8239f473} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 2316 22537472558 socket
    3⤵
    PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.2.1427443651\420223102" -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3156 -prefsLen 20931 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc08c528-c703-434b-9170-1d14b14d6005} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 3168 225480ceb58 tab
    3⤵
    PID:1748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.3.1812161252\553964126" -childID 2 -isForBrowser -prefsHandle 3356 -prefMapHandle 3352 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35702a6e-3937-4092-a198-fe314cdcc5e6} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 3420 22537467558 tab
    3⤵
    PID:972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.4.389407544\1231770144" -childID 3 -isForBrowser -prefsHandle 4140 -prefMapHandle 4136 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8168e68b-6d00-47c7-b0be-e08376c61d05} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 4112 225486d1458 tab
    3⤵
    PID:3080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.6.703188926\1827852653" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4964 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4cf4e46-1ac0-44aa-80fd-41f23e963df8} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 4952 2254a51b058 tab
    3⤵
    PID:4216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.5.714112085\283995009" -childID 4 -isForBrowser -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90e9c3df-fbe5-41e4-b234-2277fdad6917} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 4860 2254a322e58 tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3216.7.2066541119\23620524" -childID 6 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d086989d-7152-4cf8-9a9b-06842b3773bb} 3216 "\\.\pipe\gecko-crash-server-pipe.3216" 5168 2254a519b58 tab
    3⤵
    PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
95d421e9fe61b55908b974fc0736d68c

SHA1
ad6b1f6dffdebcc2834bab882a1083bad5920134

SHA256
3587587451822e936c750b05fc8beec9db8d058f9cfa329504d174fe4d947be5

SHA512
dea19319e6d5b6383b1126ff49e097d5c4a67de6cb8f873809234605be4543ab650d5931b90bbe3876f4d426e7caaec52c2bc6b36460b81631c0b03ddc12808d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
d4916033ee3e08caee93927b3368475e

SHA1
e961ff414fb41f1e9ef712cc6f70e9994ee5b649

SHA256
0a4972e0dae58dcc1ba30a5fd00bd6509661b907f9b17aadfd74951ca3b1b4b3

SHA512
6718004b68266efed3352e459aee8e80d5cdf242521e76d721678265de436e118ee4af465c19910afb369a1b861808372198e3184f9037d180efa25aac53f41c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b3ac08752ebf569bd1f7343c576211e6

SHA1
1e22738dea0518398c1b79e63b1f488b1b03097c

SHA256
1028bbe85410a0f6d57bf5c47ce0c0cdd91f34a8269f6fda7f093079924ba31d

SHA512
3d732c2bf51816fb1d540b2f6d3f74d7ed4575c484968dc9b8aaa6f1ee09dbb79d1b5019831a95c74d533c16af3945d1079b1f6e9f948bc9b97b0595aa03044a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a0980cf2f16cdb31047380635fe97290

SHA1
d14247269ce5baeeba54fe76ae1b0afb7661b429

SHA256
cfeb9e4c4663378827d35f8563689650e9457b7792bf69dfd7375422dc2db80b

SHA512
bc4497d90c4586df3c561f89be73fa6389440fc65c8feaee1c4a9179c8dcaa3cbb0191e63125bc666b0d350595ee459dc50958337f28c9c09c6becce6233eb5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
349473b00fd50bbc1524e1c156c66f43

SHA1
bedaca7d1bfe49ad03949bd258d5c69b005aafe5

SHA256
c7df814c4abead2ffdfbc93741b7dfec1334022d1cb3fbcffcd6a54d63ce33de

SHA512
1c83a3092257ad2f18e065929404f03f47e9d982c7a234c14753e1e3a13e3167d5f28d27b976d460bbc66a767e7083edf0db9d60a9d144582d040ddb7fc3f082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
320362eb00e7932dca07294923dafab1

SHA1
2f080a9da10321f074a923d12b73d2aa86fb838e

SHA256
838528641208856ab7f947ebd32cb2930fa748e977ff957a7e09ebb4556a8b2d

SHA512
8d3901d6443b5060de959a083f86b9e379afda4cd31d40c57b7f57cd47694948e37e874babc3942122b22da1fc83d3377a68d27ac1494a13a5b5d90e458e353e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
dc7f6ba98c614351ccb22ba32cce55f5

SHA1
9f75c62ada0345d2fac6aee215a9b470a54d03e5

SHA256
0f627f3a1316756942a82a872bc8683663a11d33f6f1981d0248afd68f2b2095

SHA512
275a4584eac207f9526cb3881c2b0746e23cf5b7f97b25ea854ca451adaee05484b4681f50d1d18ee6bb885469325738836c46eda82c3b6490dee9f64694321f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp

Filesize
157KB

MD5
c767776742918dd7e390d87988b7ad3d

SHA1
c33f22dbb0bbd4220b0f1491400806e8078a1614

SHA256
d4a0fc8d0c4cea692d686662290ae9d39525f55ab23e7785ea8ebdeb5ace7662

SHA512
fe7e41e76c269a181e7c35f31f16fa2e47d231f22f4084af4c171ab77809cc59f34b8f93b9aa67ebe693b27d81f4c3b929cc3d7184582d4037f6dd4b7f36b59f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
3c34e7bcf152c9d705c144fbc3fb32a4

SHA1
0f68a18e5a4fcdbf3bf562c18ba30a87b62a3628

SHA256
6950db860fb6fb963def70d42b1919a9ad9ccd4712b7c8c6c75a37921ad1b4de

SHA512
a1c88aa0370e096b2a5b1a42c6d19da5006e6fbd4a80476dda1da4f41ec4ab622fa339494631ab7f9882c22df49261319995929af9b37e8993ab5de25201deb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
36331834798ffd19628d2d1eb4b3b1a6

SHA1
9fe1813510c873d96c777e2a3ce2de28dc71c9e6

SHA256
473b2991e5598c97bfaf664b7e732fb19e03d6219067e3eaba01a4c005309ff1

SHA512
e432c69eab2ce609587b0078a9cf35946f2974795da685b2fbe1bcae7847f951b05272a27ebabbc8cecb4fa2e34d4685f9128b24368124d0d2c2e5a8e2479416

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js

Filesize
6KB

MD5
2671cb438e20839542acaaa68889c1bc

SHA1
15c5861ab5dde8de516ae2b6377b08b95e7c4ee9

SHA256
0bab8e6f22f96e0aa7b72e8d8d6c7c2a2af17fb45309571e7698a874681d424e

SHA512
f2e2440c23b0a4cb4766869f6df58db6b8b9c8eda86e5ba567a95ff520d22a70dbaeeac1633f8c6553157b1b62d6aeb1d0f97334c50712edafd17f614732f9a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js

Filesize
6KB

MD5
9971fa8fa89a208685d3e30835832fb5

SHA1
5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300

SHA256
13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084

SHA512
02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2355c02c8237be4ea3c5cab1e9e3571a

SHA1
674752c02f89c68608999cdd4a6d4693dceb4722

SHA256
2f2d5d69202007cc5f07b1fa5f1552092616ddd4d983f65a943f88c3a4a79078

SHA512
17c6e335514e28169251189ec1e4203c75b8cca55d3821623a023888742ef45f395266f6252a5df7052478a6f52d421f96faffdda0bb5910df97248f04428828

Download Submit